Regulatory Guide 5.65

Vital Area Access Controls,Protection of Physical Security Equipment,And Key and Lock Controls

ML003739336
Person / Time
Issue date:	09/30/1986
From:	Office of Nuclear Regulatory Research
To:
References
RG-5.65
Download: ML003739336 (12)
v • d • e

U.S. NUCLEAR REGULATORY COMMISSION

Septmber 19W

A

0 REGULATORY GUIDE

OFFICE OF NUCLEAR REGULATORY RESEARCH

REGULATORY GUIDE 5.65 VITAL AREA ACCESS CONTROLS, PROTECTION OF PHYSICAL SECURITY

EQUIPMENT, AND KEY AND LOCK CONTROLS

(Task SG 302-4)

A. INTRODUCTION

The NRC's principal requirements with respect to the protection of items of vital equipment at nuclear power reactors are contained in 10CFR Part73, "Physical Protection of Plants and Materials." These requirements are aimed at safeguarding against sabotage that could cause a radiological release. The Commission has pub lished amendments to 10CFR Part73, §§ 73.55 and

73.70, that clarify safeguards policy for power reactors on control of access to vital areas during emergency and nonemergency situations, protection of certain physical security equipment, and key and lock controls. These revised requirements were developed to clarify. or modify certain existing physical protection requirements.

The amendments were designed to foster plant safety while maintaining adequate safeguards.

This guide presents approaches that are acceptable to the NRC

staff for implementing the amendments. Emphasis in the guide is on minimizing the safeguards impact on safety.

Any information collection activities mentioned in this regulatory guide are contained as requirements in

10 CFR Part 73, which provides the regulatory basis for this guide. The information collection requirements in

10 CFR Part 73 have been cleared under OMB Clearance No. 3150-0002.

B. DISCUSSION

The objective of controlling access to protected and vital areas of nuclear power reactors is to ensure that only authorized persons with legitimate need be allowed access to such areas. This regulatory guide describes measures the NRC staff considers acceptable to implement regulatory requirements on access controls.

The purpose of these measures is (I)to ensure adequate access for safety purposes while providing necessary physical security, (2)to provide protection of specified physical security equipment which, if sabotaged, could significantly affect the security of the plant, and (3) to provide guidance for key, lock, and combination changes when an employee with access to them leaves.

C. REGULATORY POSITION

1. PHYSICAL BARRIERS

1.1 Openings in Vital Area Barriers (Excluding Doors)

According to paragraph 73.55(c),

access to vital areas requires passage through at least two physical barriers of sufficient strength to meet the performance requirements of paragraph 73.55(a). Accordingly, no accessible openings in vital areas should exist. Heating ventilation-air conditioning ducts, cable tray penetrations, ventilation fans, etc. should be protected by gratings or other materials so that the integrity of the barrier is not decreased. In addition, the barrier should be constructed of materials that provide delay to forced entry. Such materials should be resistant to cutting, drilling, and puncture by small hand tools or tool substitutes.

Examples of hardening techniques are described in the appendix. These techniques serve as guidelines for several cost-effective ways of increasing penetration resistance time without impairing the function of the penetration. Other techniques are acceptable, as long as the penetration area is hardened at least to the level of the weakest part of the barrier.

The licensee should also ensure that safety systems are not compromised by such barriers.

USNRC REGULATORY GUIDES

The guides are Issued In the following ten broad divisions:

Regulatory Guides are Issued to describe and make available to the public methods acceptable to the NRC staff of Implementing

1. Power Reactors

6. Products specific parts of the Commission's regulations, to delineate tech-

2. Research and Test Reactors

7. Transportation niques used bY the staff In evaluating specific problems or postu-

3. Fuels and Materials Facilities

8. Occupational Health lated accidents or to provide guidance to applicant

s. Regulatory

4. Environmental and Siting

9. Antitrust and Financial Review Guides are not substitutes for regulations, and compliance with

5. Materialsand Plant Protection 10. General them Is not required. Methods and solutions different from those set out In the guides will be acceptable if they provide a basis for the findings requisite to the Issuance or continuance of a permit or Copies of Issued guides may be purchased from the Government licensePrnng ofe at the current GPO price. information on current GPO prices may be obtained by contacting the Superintendent of This guide was Issued after consideration of comments received from Documents, U.S. Government Printing Ofrice, Post Office Box the public. Comments and suggestions for Improvements In these

37082, Washington, OC 20013-7082, telephone (202)275-2060 or guides are encouraged at all times, and guides will be revised, as

(202)275-2171.

appropriate, to accommodate comments and to reflect now Informs onorxeine comnsnoelcm Issued guides may also be purchased from the National Technical Written comments may be submitted to the Rules and Procedures Information Service on a standing order basis. Details on this Branch, ORR

ADM,

U.S.

Nuclear Regulatory Commission, service may be obtained by writing NTIS, 5285 Port Royal Road, Washinton, D6 20555.

Springfield, VA 22161.

1.2 Separation of Protected Area and Vital Area Barriers at Water Sources

"Water sources designated, as vital must be afforded the protection measures required of a vital area under

§ 73.55. These requirements, in part, state:

The licensee shall locate vital equipment only within a vital area, which in turn, shall be located within a pro tected area such that access to vital equipment requires passage through at least two physical barriers of suffi cient strength to meet the performance requirements of paragraph(a) of this section. More than one vital area may be located within a single protected area.

Protection of water sources designated as vital is complicated by the wide-ranging configurations of these sources and, in some cases, it is not practical to separate protected and vital area barriers to these sources, e.g., at water intake structures.

The intake structures for vital water sources located at the main protected area barrier are considered to meet requirements for vital areas if the structure is Seismic Category I reinforced concrete and, in the case of the essential service water intake structure designated as vital, if the intake structure (1)is secured with screening or grill to prevent introduction of large objects,

(2)has double barriers on any nonwater side that contains a movable opening, (3)is equipped with heavy duty doors that provide delay to penetration, (4)is kept under constant surveillance by closed circuit TV for rapid assessment, and (5)is protected by an intrusion alarm system.

In all cases, associated piping, valves, pumps, and con trols should be either buried or enclosed in a substantial structureý with hatches, ports, and other openings locked and alarmed. Manholes that provide access to vital equip ment or the protected area and are located within the owner-controlled area should be locked and alarmed if the cover can be lifted without the aid of machinery.

2. TIME-DEPENDENT VITAL AREAS (SPENT FUEL

POOLS)

Spent fuel pools are currently provided vital area pro tection in accordance with § 73.55. However, it is recog nized that the radiation levels of spent fuel decay rapidly after removal from the reactor core and eventu ally do not require vital area protection because the potential for a Part 100 release** is remote. Accordingly,

• A substantial structure means a structure that meets the require.

ments of paragraph 73.2(f)(2)'or its equivalent.

• • The criteria in § 100.11 of 10CFR Part 100 specify refer.

ence values to be used in the evaluation of reactor sites with respect to potential reactor accidents of exceedingly low probability of occurrence and low risk of public exposure to radiation. Those reference values are a total radiation dose iaexcess of 25 rem to the whole body or a total radiation dose in excess of 300 rem to the thyroid from Iodine exposure (based on a 2-hour exposure time commencing Immediately following the onset of the postulated ission product release).

under an alternative safeguards approach, spent fuel pools could be included in vital areas during that period when the spent fuel pools pose a threat to public health and safety. After this initial period, licensees would have the option of relaxing the *spent fuel pool safeguards.

3. CONTROL OF ACCESS TO VITAL AREAS UNDER

ROUTINE CONDITIONS

3.1 Access Lists Paragraph 73.55(dX7)(i)(A) requires that the licensee establish current authorization access lists for each vital area. The access list should be updated and reapproved by the cognizant licensee manager or supervisor on the last working day of each calendar month. The access list should include only those individuals whose specific duties require that they have access to the vital area during routine operations. Certain access controls may be suspended during emergency or abnormal plant conditions, and the list would be unnecessary under these circumstances. Therefore, the names of emergency response personnel need not be on the list..

3.2 Logging Requirements Licensees are required to keep a log that indicates name, badge number, time of entry, and time of exit of all individuals granted access to a vital area except to the reactor control room. The intent is to maintain a record of personnel access and egress for each specific vital area. This may be accomplished through the use of computer-controlled access devices. A log documenting personnel access and egress for the reactor control room is not needed because this area is always occupied.

3.3 Revocation of Access Authorization Paragraph 73.55(dX7)(i)(C)

requires the licensee to revoke an individual's access authorization and retrieve that individual's identification badge and other entry devices, as applicable, prior to or simultaneously with the notification to the individual of the termination when the termination is involuntary and for cause.

Under these circumstances, the licensee should have in place the mechanisms or procedures necessary to ensure that such individuals cannot gain unescorted access to the site. This provision is intended to reduce oppor tunities for disgruntled individuals to have access to the reactor facility.

3.4 Locks, Alarms, and Emergency Controls for Unattended Vital Area Doors In the interest of controlling access to vital areas in the accomplishment of the safeguards objective, para.

graph 73.55(dX7Xi)(D) requires that the licensee lock and protect unoccupied vital areas by an activated intrusion alarm system, e.g., a balanced magnetic switch.

The licensee should protect a vital area by maintain ing locks and alarms on all doors that are not attended

5.65-2 K

access control points. Acceptable criteria for the use and selection of commercially available locks are found in Regulatory Guide 5.12, "General Use of Locks In the Protection and Control of Facilities and Special. Nuclear'

Materials."

Descriptions of various surface protection

• "

alarms and guidance on testing and maintaining alarm systems can be found in NUREG-0320, "Interior Intru sion Alarm Systems."

The licensee should install "panic"

hardware and establish procedures that permit rapid and orderly egress from vital areas in the event of an emergency situation.

Emergency exit doors that have "panic"

hardware should be alarmed to the central and second ary alarm stations so the use of such doors can be monitored.

4. EMERGENCY ACCESS TO VITAL AREAS

During emergencies or abnormal conditions, it may be necessary for certain licensee personnel to gain quick access to vital equipment in order to mitigate or terminate some adverse plant condition. Also, it is important to ensure that personnel can quickly evacuate vital areas if the emergency condition results in high radiation or other dangerous conditions within the vital area.

Thus, paragraph 73.55(d)(7Xii)(A)

requires that licensees ensure prompt access to vital equipment during emergencies or abnormal conditions.

Licensees can provide for rapid ingress/egress during such conditions by providing backup keys to vital areas and methods of opening locked doors in the case of computer or power failure.

4.1 Access Keys In the event of an emergency or abnormal condition at a power reactor, it may be necessary for certain personnel, particularly an operator, to have prompt access to vital areas or equipment. To facilitate access, operating personnel should be provided with keys to open doors that are locked for security or other purposes.

4.2 Access Codes and Antipassback Control Features It has been observed that the use of individual manually entered identification codes and the use of the

"antipassback" feature programmed into card key com puters hamper ingress because of mistaken entries, poor memories, entry denial for failure to log out of an area, etc. In order to minimize the impact on safety by ensuring prompt access, the use of manually entered codes and the antipassback feature in vital area access control systems is not required or recommended by the NRC.

• Copies may be obtained from the Superintendent of Docu ments, U.S. Government Printing Office, Post Office Box 37082,

,'

Washington, DC 20013-7082.

4.3 Loss of Electric Power In order to facilitate safety, the licensee should provide for rapid ingress/egress during a computer or power outage. If vital area doors are not specifically required by the licensee's physical security plan to fail in the closed position upon loss of electric power, procedures that provide for prompt compensatory measures in opening locked doors should be established.

The following are acceptable procedures for providing for safe ingress/egress during a power or computer outage:

I. Have locks on interior vital area doors fail open during an outage or emergency and have guards immedi ately deployed to monitor ingress/egress.

2. Use an uninterruptible power supply system for electrical locking devices.

3. Have locks fail closed and provide keyed bypass locks for vital areas. Ensure that all necessary personnel have keys.

4. Have locks fail closed and install crash ("panic")

bars and alarms on doors for emergency ingress/egress.

S. SUSPENDING SECURITY MEASURES

5.1 Authority Paragraph 73.55(a) permits the licensee to suspend any safeguards measures pursuant to § 73.55 in an emergency in accordance with paragraphs 50.54(x) and (y) of 10 CFR Part 50. If immediately needed to pro tect the public health and safety, such suspension is permissible provided that (I) the action taken is approved, as a minimum, by a licensed senior operator prior to the emergency action being implemented and

(2)all safeguards measures are restored as soon as practicable following the suspension. This flexibility will accommodate the potential need for rapid response to emergency or abnormal conditions.

The licensee should specify in the physical security or contingency plan the individual, by title, responsible for relaxing security requirements If necessary during emer gencies. The plan should also specify a chain of respon sibility for suspension of safeguards requirements in the event that the first designated individual is unavailable.

S.2 Conditions The authority to suspend safeguards measures should be exercised only when site conditions are or may soon become a danger to the public health and safety. Secu rity measures should be relaxed only to the extent necessary to accommodate the emergency situation in accordance with paragraphs 50.54(x)

and (y). Each instance in which safeguards requirements are suspended without approved compensatory measures would have to

5.65-3

be reported to the NRC under the provisions of § 73.71 as an event that lessens the effectiveness of safeguards.

5.3 Controls That Can Be Suspended During an Emergency The types of controls that could be suspended in an emergency might include but are not limited to the following:

1. The search and identification of personriel required by paragraph 73.55(d)(1),

2. The search of hand-carried items required by paragraph 73.55(dX2),.

3. The search of vehicles required by paragraph

73.55(d)(4),

4. The use of a badge identification system required by paragraph 73.55(dX5),

5. The registration of personnel required by paragraph

73.55(d)(6), and

6. The access controls for vital areas in paragraph

73.55(d)(7).

5.4 Use of Escorts In the event safeguards controls are suspended, the licensee should use escorts to the extent possible.

Offsite response personnel should be escorted by desig nated licensee personnel with operable two-way radio communications to the central and secondary alarm stations. At least one escort. should accompany each emergency vehicle, and all offaite emergency response personnel should be in view of the escort at all times unless this would constitute a danger to the escort For the purpose of this guide, an escort is defined as a member of the security organization or other designated individual responsible for accompanying those personnel not allowed unescorted access within a protected area.

An escort is not required to possess a technical knowl edge of the plant's processes or equipment..

5.5 Access Controls for Emergency Response During Drills or Exercises During a preplanned drill or exercise, the offsite emergency response personnel may enter the protected areas, and certain access-safeguards requirements may be waived provided that:

"* The NRC is notified in advance of the drill what measures will be waived and when the drill is scheduled,

"* Each vehicle is escorted, by a member of the licensee's security organization equipped with two way radio communication to the alarm station,

"* All emergency response personnel remain within'

view of the licensee's escort at all times, and

"* The licensee positively identifies at least one member of the emergency' response team who verifies that the other' personnel are bona fide members of the responding organization.

The iccess-safeguards requirements that may be waived are:

• ' Search and identification of emergency response personnel,

• Search of emergency response vehicles,

• Search of hand-carried packages and equipment, and

• Badging and registration of emergency response personnel.

The drill or, exercise must. stop at the vital area boundary; there is no regulatory authority for relaxation of controls into vital areas during any nonemergency situation. If itis considered necessary to familiarize the emergency.

response personnel with plant layout, including vital areas, the full security plan, measures must first. be applied.

6. PHYSICALPROTECTIONPLAN AND CONTINGENCY

PLAN INTERFACE

Paragraph 73.55(d)(7)(ii)

requires that the licensee design the access authorization system to accommodate the potential need for rapid ingress or egress of indi viduals during emergency conditions or situations that could lead to emergency 'conditions. In order to facilitate ingress/egress during such conditions, the licensee should conduct 'periodic reviews of security and contingency plans and ensure pr ompt access to vital equipment.

6.1 Periodic Review of Security and Contingency Plans Paragraph 73.55(d)(7)(ii)(B) requires that the licensee periodically review physical security plans and contin gency: plans and procedures to evaluate their potential impact on plant and personnel safety. The licensee should conduct such review annually to ensure that security procedures do not adversely affect the proce dures outlined for emergency or abnormal conditions.

Licensees should also review the plans whenever changes are made that could affect plant or personnel safety or when the licensee becomes aware of a procedure that could affect safety. Licensees may use the Plant Opera tions Review Committee (PORC), quality assurance audit programs, corrective action reporting systems, or other appropriate programs 'to monitor the. potential . for.

safety/security impacts.

5.654

6.2 Cross-Training Interface problems between security and operations are reduced when the respective staffs are made aware, through cross-training and indoctrination, of the roles, responsibilities, and general practices of both organiza tions. The licensee should provide personnel with oppor tunities to learn about the other organization.

7. PROTECTION OF SECURITY EQUIPMENT

Paragraph 73.55(e)(1) requires, in part, that onsite secondary power supply systems for alarm annunciation equipment and nonportable communication equipment be located in vital areas. Protection of these items of equipment is necessary to reduce vulnerabilities in the system because their sabotage could significantly impact the safeguards of a plant. Therefore, licensees are required to locate these pieces of equipment In vital areas.

8. KEYS AND LOCKS

Paragraph 73.55(dX9)

requires, in part, that keys, locks, combinations, and related access control devices be controlled to reduce the probability of compromise.

The licensee is required to change or rotate all keys, locks, and combinations at least every 12 months or whenever there is evidence or suspicion that any key, lock, combination, Or related access control device has been compromised. Such suspicion may be interpreted as the reasonable belief that compromise has occurred even though physical evidence has yet to be uncovered.

Changes should also be made whenever a person who had access to protected areas or vital areas is terminated for cause.

Keys, combinations, and other access control devices should-be issued only to those individuals possessing an unescorted access authorization.

D. IMPLEMENTATION

The purpose of this section is to provide information to applicants regarding the NRC staff's plans for using this regulatory guide.

Except in those cases in which an applicant or licensee proposes an acceptable alternative method for complying with specified portions of the Commission's regulations, the methods presented in this guide'will be usd in the evaluation of security methods and proce dures for all operating plants and plants that have not received an operating license.

5.65-5

The -purpose of this appendix Is t9 provide examples

• CR-1378, "Hardening Existing Strategic Special Nuclear of techniques pertaining to methods of hardening open- Material Storage Facilities,"* June 1980.

ings in ceilings and walls of vital areas.

ompt.

may be obtained from the Superintendent of Docu Uments,

.& Government Printing Office, Post Office Box 37082, Techniques through 3, are excerpted from NUREG/

Washington, DC 20013-7082.

Technique No. 1 I

Hardening Opening In Ceiling or Wall EXISTING STRUCTURE: Opening in ceiling or wall TOOLS REQUIRED FOR PENETRATION:

Depends on existing opqning PENETRATION TIME: Depends on existing opening HARDENING ACTION:

1. Add strong steel jamb to opening.

2. Form three separate grates by welding No. 4 or No. 5 rebar into 6-inch (15-cm) grids. Weld grates to inside, center, and .outer lips of jamb. (Another method is to weld six separate layers of rebar alternating vertical and horizontal and offset from each other.)

3. Add a baffle on inside for openings in vital areas if accessible.

INCREASED PENETRATION RESISTANCE TIME: Approximately 15 minutes ADDITIONAL PENETRATION TOOLS REQUIRED: Boltcutters ADVANTAGES OF TECHNIQUE:

1. Multiple layers to penetrate

2. Delay time can be increased by increasing either size of rebar or numbers of rebar.

5.65-6

-3k EXISTING STRUCTURE

SIDE VIEW

WALL

HARDENED STRUCTURE

SIDE VIEW

'A

--

END OR TOP VIEW

WALL WALL

WALL

!A

0%

,t,

,.4 EXAMPLE REPRESENTS A

2r" x 24" OPENING CLOSED

UP WITH NO. 4 REBAR

PENETRATION TIME

0

APPF

-C

• NO.4 OR NO. 5

"REBAR

PENETRATION TIME

OXIMATELY 15--27 MINUTES

IEPENDING UPON DESIGN :

Technique NO. 1 WALL

Technique No. 2, Hardening a Duct In a Ceiling or Wl1 Where Air Flow is Required EXISTING STRUCTURE: Duct opening in ceiling or wall where air flow Is required TOOLS REQUIRED FOR PENETRATION:

Depends on existing opening PENETRATION TIME: Approximately 1 minute for a 24 x 24 in. (61 x 61 cm) duct (horizontal)

HARDENING ACTION:

I. Line duct with coils of general purpose barbed tape obstacle (GPBTO) or concertina. If coils cannot be used, bands or ribbons of barbed tape can be riveted to walls.

2. Attach diffusers with 16 quarter-inch bolts.

INCREASED PENETiATION RESISTANCE TIME: Approximately 10 minutes ADDITIONAL PENETRATION TOOLS REQUIRED: Depends on installation method for barbed tape ADVANTAGES OF TECHNIQUE:

1. Greatly hampers crawl-through

2. Various installation methods allow upgrading with minimal effects on duct performance.

5.65-8

Existing Structure (Diffusers Niot Shown)

Front View PENETRATION TIME

Approximately 1 Minute Hardened Structure (Diffusers Not Shown)

Front View PENETRATION TIME

Approximately 10 Minutes Technique No. 2 o01 ts

Technique No. 3 Hardening Opening in Ceiling or Wall Where Air Flow Is Required EXISTING STRUCTURE: Opening of any size TOOLS REQUIRED FOR PENETRATION: Depends on existing opening PENETRATION TIME: Depends on existing opening HARDENING ACTION:

I. Add strong steel jamb to opening.

2. Weld steel pipes no larger than 3 inches (7.5 cm) in diameter together and then weld to steel jamb.

INCREASED PENETRATION RESISTANCE TIME: More than IS minutes ADDITIONAL PENETRATION TOOLS REQUIRED: Cutting torch ADVANTAGES OF TECHNIQUE:

1. Allows air flow.

3. Reduces bodily access.

5.65-10

EXISTING OPENING

SIDE VIEW

WALL

OPEN

HARDENED OPENING

SIDE VIEW

WALL

MAX. 3" DIA.

PENETRATION TIME

DEPENDS ON EXISTING OPENING

PENETRATION TIME

APPROXIMATELY 49 MINUTES

Technique No. 3 V,

WALL

• 0,

TOP VIEW

VALUE/IMPACT STATEMENT

A separate value/impact statement has not been pre pared for this regulatory guide. The guide was developed.

to present approaches acceptable to the NRC staff for fostering plant safety while maintaining adequate safe.

guards In accordance with amendments to 10 CFR Part 73. A value/impact statement prepared for these amend meuts was made available in the NRC-Public Document Room at the time they were published. This value/

impact statement Is also appropriate to this regulatory guide.

'4

4, UNITED STATES

NUCLEAR REGULATORY COMMISSION

WASHINGTON, D.C. 20555 OFFICIAL BUSINESS

PENALTY FOR PRIVATE USE, $300

• '

r I.

V

..

FIRST CLASS MAIL

POSTAGE & FEES PAID

USN C

WAS". D.C.

PERMIT No. 0-67

5.65-12 fl